CODEWITHSUNDEEP
javajakarta-eessl-certificatehttpurlconnectionwebsphere-liberty
Krishna Chaitanya
Krishna Chaitanya

Reputation: 2663

Disabling hostname verification

Our web application calls several web services internally using Jersey client API. Few services are secure and we use certificates to authenticate.

Due to some reasons we want to disable hostname verification on few services.

So I searched for some examples and found the below links and the service started working as expected after disabling the verification.

Link1, link2, link3

While going through the third link I noticed a call to HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);

I am assuming that, because of the above call, hostname verification will be disabled on all subsequent web service calls.

If my assumption is right, how do I disable verification only on a particular service?

HostnameVerifier allHostsValid = new HostnameVerifier() { 
    public boolean verify(String hostname, SSLSession session) {
     if(hostname.equals("xyz")) {
         return true; 
     } else {
         // How do I implement this section?
         // if I return false will the server perform the verification? If not how do I implement this?
     }
    } 
};

Upvotes: 0

Views: 10134

Answers (1)

Azquelt
Azquelt

Reputation: 1495

In you're using HttpsUrlConnection directly then once you've opened the connection (with URL.openConnection()) you can call connection.setHostnameVerifier(allHostsValid) to set the hostname verifier for that single connection.

EDIT:

As you're using Jersey, it looks like there are two options depending on whether you're using Jersey 1 or 2.

For Jersey 2 you can set the Hostname Verifier on the ClientBuilder when you create the client.

ClientBuilder.newBuilder().hostnameVerifier(allHostsValid).build();

You'd want to make two clients and use a different one depending on which service you were connecting to. However, there is a warning in the jersey docs noting that that this only works with certain connector providers, and I'm not sure which you'd be using.

This is a standard API so it should work for any compliant JAX-RS 2.0 client (including Liberty's jaxrsClient-2.0 feature).

For Jersey 1 it looks like you can set a property on the client or on the client request.

HTTPSProperties httpsProps = new HTTPSProperties(allHostsValid);
client.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, httpsProps);

Upvotes: 1

Related Questions